WatersWorks by John K. Waters

RSA Preview: HP Security Mavens on the Cybercrime Marketplace

The annual crypto-uber-geek, cyber-security trade show, better known as the RSA Conference, gets underway next week in San Francisco. I love this event. The content is broad and deep and sometimes downright scary. Even registering for the thing can be unsettling: never have I had to work so hard to create a password. And you need a personal access code to get on the wireless network at the show. So cool.

I got a nice warm-up for the event earlier this month when I attended a roundtable discussion among HP security mavens. The company is planning to make several major announcements around security at the end of this month, and it'll soon be releasing its "2012 Cyber Security Risk Report." The roundtable included execs from the various groups HP assembled last year to form its Security Intelligence and Risk Management platform. The discussion focused on trends in cybercrime, the evolving marketplace for information theft and the best enterprise defense strategies.

Art Gilliland, SVP of HP's Software Enterprise Security Products group (and former Symantec exec), kicked off the conversation by suggesting that the press, and even some security professionals, spend too much time talking about individual perpetrators.

"Focusing on specific actors is a bit of a red herring," he said. "It misses the fact that there's just so much money to be made from the sale of stolen information that a real marketplace has grown up around cybercrime."

That's the bad news; the good news is that markets exhibit recognizable behaviors that can be exploited.

"Markets do very specific things," Gilliland pointed out. "They organize participants, for example, and they create specialization around a process. If companies are going to become more effective at responding to security threats, they're going to need to think about how they disrupt the marketplace of the adversary."

HP uses something called a "kill chain," a traditional process chain originally created by Lockheed Martin, to describe the five steps of a security breach. The kill chain steps include: 1) Research (the bad guys create profiles of their targets); 2) Infiltration (they break in); 3) Discovery (they map the assets and find the good stuff); 4) Capture (they take control of the assets or sensitive information); 5) Exfiltration (they steal or destroy it).

"I believe that the reason we're seeing such an increase in breaches and threats is that we, as an industry, are not building the capabilities necessary to disrupt this process," Gilliland said.

Instead, a great deal of emphasis is placed on the technology infrastructure for blocking the adversaries -- anti-virus software, firewalls, etc. But, as Gilliland put it, "this marketplace innovates around us," and a break-in is all but inevitable. "If you believe that that's true -- and I think most security experts do -- then we had better get much better at catching them inside before they've stolen the data," he said.

"It's critical that organizations get to a point where they can respond very quickly to each of those steps," said Scott Lambert, director of HP's DVlabs. "That's how we change the game."

Digital Vaccine Labs was the research organization within security vendor TippingPoint, which HP acquired in 2010 when it bought 3Com. HP describes DVlabs as "the heart" of the company's IT security research and intelligence.

Lambert allowed that firewalls and intrusion detection-and-prevention systems provided protection from what attackers were leveraging when those technologies were created, and they're still effective at blocking certain classes of attacks. But today the focus of the attackers is shifting away from perimeter defenses and toward the individual. Vulnerabilities in social networks, for example, are attracting a new generation of cybercriminals.

Lambert also added to my growing security vocabulary list with "OODA Loop": observe, orient, decide, and act. It's a military term applied to combat operations; whoever gets through the loop faster is likely to be the winner.

"At each of the stages in the kill chain, there is a set of assessments that must be made and actions that must be taken," he said. "The attacker is going to keep coming back in; shut down one door, and they'll find another one. So we need to be quicker at identifying that they're inside, telling them to go away, shutting those doors, and getting right on top of them when they come back."

Jacob West, CTO of Fortify Products within HP's Enterprise Security group, weighed in on the subject of security in the application layer. Although network and end-point security still get the lion's share of a typical organization's security budget, he said, app security is finally getting the attention it deserves.

"Ten years ago there wasn't a field called 'software security,'" West said. "Security was still pixy dust that you layered on top of your software after you built it. We've come a long way since then, and now we're seeing substantial investment in securing the application layer."

The reason for the increased investment, West said, is the growing popularity of the app layer as a target. But he added that it's a mistake to expect top-notch developers to also become security experts.

"You just can't be both," he said. "So what we in the industry need to do is to enable those developers -- and everyone else who contributes to the development lifecycle -- to understand that they're making security-relevant decisions and give them the processes and technologies to make those decisions in the right way when they're faced with them."

In 2007 West co-authored Secure Programming with Static Analysis (Addison-Wesley Professional, July 9, 2007) with Brian Chess, founder of security vendor Fortify Software, which HP acquired in 2010. Fortify was known for its static application security analysis technology, and West and Chess's book is something of a classic in that field.

"I do think a lot of development organizations recognize that security is now a core requirement of the software they build," West added. "They can't make every developer a security expert, but they know that the software those developers eventually produce needs to be secure. And I do see an increasing number of firms with large development investments tying developer performance and compensation to security metrics."

And yet many organizations have yet to implement even basic perimeter security, said Joni Kahn, SVP of Services and Support in HP's ArcSight group, let alone address more sophisticated threats. Kahn runs professional services at HP and is actively involved in breach remediation and response. (HP acquired security information and event management provider ArcSight in 2010.)

"We spend a lot of time talking about the business processes that allow you to leverage the technology in an effective way," she said.

To my dumb question of the day, "Why haven't we fixed all this yet?" Kahn replied, "Well, that's a little bit like asking, 'Why haven't we stopped all burglaries?' There's money in this, and crime pays."

BTW: Gilliland will be talking about how market forces are organizing our adversaries at the RSA Conference. His talk is entitled: "Criminal Education: Lessons from the Criminals and their Methods."